LocationSmart Leaked Customers' Location Data Without Consent, User Authentication

Security researchers discovered and reported that an API vulnerability in LocationSmart’s free online demonstration tool could leak real-time location data of US telecommunication companies’ customers via mobile phone tracking. In relation, another company – Securus Technologies – was earlier reportedly breached by hackers who stole up to 2,800 credentials of law enforcement officers across the United States. The company was reportedly using LocationSmart’s service features to sell or give away data of mobile network subscribers to a Mississippi County sheriff's office.

[Read: Expert: Smartphone location tracking may bolster enterprise security]

LocationSmart’s website allowed potential customers to use a free demonstration tool online to track the approximate location of mobile devices by entering their name, email address, and phone number into a form. A text is sent to the phone number provided to request permission to ping the nearest cellular tower of major wireless carriers in the country for tracking and text the subscriber their estimated longitude and latitude via Google maps after providing consent.

[Read: Identity theft and the value of your personal data]

However, Carnegie Mellon University PhD candidate Robert Xiao of the Human-Computer Interaction Institute reported that the service failed to check for basic authentication for anonymous and unauthorized requests. This means any other user who has the required basic information could easily search for a mobile number’s current location without providing any credentials. With his contacts’ consent, Xiao tested the query via the insecure API and was able to track his friends’ locations and directions while on the road within minutes. His contacts also sent feedback that the location coordinates were highly accurate, ranging from within a hundred yards of their real-time location to a little more than a mile.

[Read: How much is your personal data worth?]

According to LocationSmart’s privacy policy, they also store other technical data such as speed, heading, and IP address information among others, to provide accurate geo-targeted promotions for marketers, IoT assets, and tracking of business personnel in the field. While the free demo tool has since been closed, further research into archives indicated that the feature might have dated back to mid-2011 under a different company name. In a statement, LocationSmart “confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission.” Xiao reported the vulnerability to the United States Computer Emergency Readiness Team (US-CERT) upon discovery, and while wireless carriers are not allowed to provide location data to government agencies, current laws state that they can sell that data to businesses. Various groups and Congress members have noted the need for reevaluation and stricter policies concerning privacy because of this incident and the Securus Technologies data breach.

[Read: Privacy and security: A study of US, European and Japanese consumers]

Aside from making sure that their online apps and service features work, businesses should be concerned with securing their customers’ data and information. Likewise, individual mobile device owners should be concerned about the information they share online. Here are a few recommendations for ensuring online privacy and safety:

For enterprises:

  • Enable additional authentication measures for internal and external queries for information. While extra authentication methods are not foolproof, it is better to have an additional layer of security than none.
  • Install patches and updates. Enterprises should regularly patch and update all systems to remove or reduce vulnerabilities that cybercriminals can exploit.

For individuals:

  • Think before you post. Cybercriminals can easily browse social media to gain information about potential victims. Check your privacy settings and set to private all identifiable personal details.
  • Check for app and software permissions. Refrain from approving permissions that take more information from users than required, and download apps and programs only from legitimate vendors.

 

Trend Micro’s Mobile Security solutions provide updated and 24/7 safety and security wherever you are. With an increasingly mobile workplace and workforce, it is now more important to protect sensitive information while they are on the go, leveraging the use of technology for increased productivity. Enterprises can achieve that balance for protection strategy while gaining visibility and control, streamlining and simplifying communications and management no matter where you are in the world.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Veröffentlicht in Vulnerabilities & Exploits, Privacy